
WS 2008 R2 Active Directory: Diving in to the core

Siddharth Bhai
Program Manager, Microsoft Corp
Presented at the Windows Networking User Group on Feb 3, 2010.

Agenda
- Windows Server 2008 R2
- AD Recycle Bin
- Offline Domain Join
- AD Technologies
- Q&A

Windows Server 2008 R2 Active Directory

- Comprehensive PowerShell commands to manage AD DS and AD LDS
- Task-based management UI simplifies IT Pro workflows
- AD Recycle Bin saves AD objects and jobs from accidental deletion
- Offline Domain Join streamlines data center deployments
- Managed Service Accounts reduce service management costs
- Authentication assurance enables enforcement of federation policies

Our focus today

- AD Recycle Bin
- Offline Domain Join

AD Recycle Bin

What is it?
- allows recovery of any deleted Active Directory object in its complete and original condition

What do you need to know?
- you are able to fully recover deleted objects
- there is a configurable interval for the duration in which a deleted object can be recovered

How do you prep to use it?
- requires forest functional level 4 (Windows Server 2008 R2), so every DC in the forest must already be R2
- you must manually enable the feature; once enabled it cannot be switched off again

Recycle Bin Object Lifecycle

Windows Server 2008 (no Recycle Bin feature):
  Live Object -> Tombstone Object -> Garbage Collection
  - tombstone lifetime: 180 days (default)
  - the Show Deleted Objects LDAP control (OID 1.2.840.113556.1.4.417) returns tombstones

Windows Server 2008 R2 with Recycle Bin enabled:
  Live Object -> Deleted Object -> Recycled Object -> Garbage Collection
  - deleted object lifetime: 180 days (default); the object is fully restorable during this window
  - recycled object lifetime: 180 days (default); the object can no longer be restored
  - the Show Deleted Objects control (OID 1.2.840.113556.1.4.417) returns deleted objects
  - the Show Recycled Objects control (OID 1.2.840.113556.1.4.2064) returns deleted and recycled objects
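The two LDAP controls above can be exercised directly, which is the quickest way to see the deleted/recycled split on a given DC. The following is an added example written for this page, not code from the deck or from Microsoft; it uses System.DirectoryServices.Protocols, assumes the caller is allowed to read the Deleted Objects container (Domain Admins by default), and uses dc01.contoso.com / DC=contoso,DC=com as placeholder names.

```powershell
# Added example (not part of the original deck): send the Show Deleted (417) or Show Recycled (2064)
# control with a one-level search of the Deleted Objects container and bucket the hits by state.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LDAP_SERVER_SHOW_DELETED_OID  = '1.2.840.113556.1.4.417'   # deleted objects / tombstones only
$LDAP_SERVER_SHOW_RECYCLED_OID = '1.2.840.113556.1.4.2064'  # deleted AND recycled objects (WS08 R2)

function Get-ADDeletedObjectStates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,     # placeholder: 'dc01.contoso.com'
        [Parameter(Mandatory)][string]$DomainDN,   # placeholder: 'DC=contoso,DC=com'
        [ValidateSet('Deleted', 'Recycled')][string]$Control = 'Recycled'
    )
    $oid = if ($Control -eq 'Deleted') { $LDAP_SERVER_SHOW_DELETED_OID } else { $LDAP_SERVER_SHOW_RECYCLED_OID }

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3     # controls and paging need LDAPv3
    $conn.SessionOptions.Signing = $true         # Kerberos sign + seal: deleted-account data does not cross the wire in clear
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                                 # current credentials (Negotiate)

    $attrs = @('isDeleted', 'isRecycled', 'lastKnownParent', 'msDS-LastKnownRDN', 'whenChanged')
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDN", '(isDeleted=TRUE)',
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel, $attrs)
    # Critical control: a DC that does not support it (e.g. a pre-R2 DC asked for 2064)
    # must fail the search instead of silently answering with a live-only view.
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.DirectoryControl($oid, $null, $true, $true)))
    $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
    [void]$req.Controls.Add($page)

    $results = @()
    do {
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        foreach ($e in $resp.Entries) {
            $recycled = $e.Attributes.Contains('isRecycled') -and ("$($e.Attributes['isRecycled'][0])" -eq 'TRUE')
            $state  = if ($recycled) { 'Recycled' } else { 'Deleted' }
            $rdn    = if ($e.Attributes.Contains('msDS-LastKnownRDN')) { "$($e.Attributes['msDS-LastKnownRDN'][0])" } else { $null }
            $parent = if ($e.Attributes.Contains('lastKnownParent'))   { "$($e.Attributes['lastKnownParent'][0])" }   else { $null }
            $results += [pscustomobject]@{
                State           = $state
                MangledDN       = $e.DistinguishedName          # "<RDN>\0ADEL:<guid>,CN=Deleted Objects,..."
                LastKnownRDN    = $rdn
                LastKnownParent = $parent
                WhenChanged     = "$($e.Attributes['whenChanged'][0])"
            }
        }
        $cookie = ($resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
        $page.Cookie = $cookie
    } while ($cookie -and $cookie.Length -gt 0)
    $conn.Dispose()
    return $results
}

# Usage (placeholder names). The difference between the two result sets is the recycled population,
# i.e. the objects that are past their DOL and can no longer be restored.
# $d = Get-ADDeletedObjectStates -Server dc01.contoso.com -DomainDN 'DC=contoso,DC=com' -Control Deleted
# $r = Get-ADDeletedObjectStates -Server dc01.contoso.com -DomainDN 'DC=contoso,DC=com' -Control Recycled
# $r | Group-Object State | Select-Object Name, Count
```

Requesting the control as critical matters: sent non-critical to a DC that does not implement it, the search simply returns nothing for the Deleted Objects base and looks like "no deletions" rather than "wrong DC".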

Recycle Bin details

What was the configurable interval you told us about?
- Deleted Object Lifetime (DOL) = Tombstone Lifetime (TSL) = 180 days (by default)
- AD admins: the notion of TSL changes; the restorable window is now the Deleted Object Lifetime (DOL)
- both can be modified independently on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root DN>:
  - msDS-DeletedObjectLifetime
  - tombstoneLifetime

What does this mean for my backups?
- backups remain valid for the lesser of DOL and TSL

Restore an object

Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

Demand deletion, aka instant recycle (double delete)
- delete the object from the Deleted Objects container; it becomes recycled immediately and can no longer be restored

Get-ADObject -Filter {<suitable filter>} -IncludeDeletedObjects | Remove-ADObject

Deleted Object Lifetime

- msDS-DeletedObjectLifetime is the period during which a deleted object can be restored fully, without loss of attributes
- not set by default
- if DOL is null, a deleted object stays deleted for tombstoneLifetime (fallback)

Recycled Object Lifetime

- tombstoneLifetime is the actual attribute (default = 180 days)
- users should not worry about this, as it is simply an artifact of replication
- too short: lingering objects; too long: database bloat

Recycle Bin impact to your AD deployment

Impact on the DIT
- the first Windows Server 2008 R2 DC generates churn; why?
  - DIT size on existing downlevel DCs initially remains (mostly) unaffected: the replicated isRecycled property represents a trivial increase in size
  - DIT size on a Windows Server 2008 R2 DC is instantly ~10-15% larger than on non-R2 DCs, due to additional columns and indices that are present from day one
- once Recycle Bin is turned on, expect the 10-15% plus the ongoing impact of new deletions (each deleted object now keeps all its attributes and links for DOL + TSL)

Feature NOT enabled by functional level alone

- our first (and currently only) optional feature
- optional features need to be switched on explicitly; a forest-wide feature is committed on the domain naming master FSMO

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <forest FQDN or AD LDS configuration set DN>

Resulting behavioral changes

- once an object is recycled (isRecycled=TRUE), traditional tombstone reanimation is blocked

Windows 7 Optional Features

- CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com (the feature definitions)
- CN=Partitions,CN=Configuration,DC=contoso,DC=com (where a forest-wide feature is recorded as enabled, in msDS-EnabledFeature)

Recycle Bin: recovering objects

Deleted Objects container
- flat list of objects in deleted state
- RDN mangled: <RDN>\0ADEL:<objectGUID> (the original RDN, a 0x0A character, "DEL:" and the object GUID)
- linked and non-linked attributes preserved
- lastKnownParent and msDS-LastKnownRDN populated

Restore objects to a live parent
- deleted objects MUST be restored to a live parent
- perform the restore top-down: a deleted subtree ends up as a flat list of \0ADEL: entries, and a parent OU must be live again before its children can go back under it
- the lastKnownXX properties are useful in rebuilding the hierarchy

Deleting an Object

Object deletion in WS08:
- isDeleted=TRUE
- lastKnownParent set
- moved to the Deleted Objects container; DN is mangled; an RDN beyond 128 characters would be truncated
- hierarchy is effectively flattened
- only a few non-linked attributes (e.g. GUID, SID, sidHistory) are preserved; the rest are stripped
- all linked attributes (e.g. member/memberOf) are stripped away
- only visible with the Show Deleted Objects LDAP control
- purged after tombstoneLifetime expires

Object deletion in WS08 R2:
- isDeleted=TRUE; isRecycled=NULL
- lastKnownParent and msDS-LastKnownRDN set
- moved to the Deleted Objects container; DN is mangled; an RDN beyond 128 characters would be truncated
- hierarchy is effectively flattened
- all non-linked attributes are preserved
- all linked attributes are preserved
- only visible with the Show Deleted Objects LDAP control
- becomes recycled after msDS-DeletedObjectLifetime expires if that value is set, else after tombstoneLifetime expires; garbage-collected tombstoneLifetime later

Restoring an Object

Object restoration in WS08 (tombstone reanimation):
- delete the isDeleted attribute
- change the DN based on lastKnownParent and the mangled DN
- only some non-linked attributes (e.g. GUID, SID, sidHistory) are restored; import the old values from snapshots
- none of the linked attributes (e.g. member/memberOf) are restored; regenerate links using LDIFs from an authoritative restore
- tool: ldp.exe

Object restoration in WS08 R2:
- delete the isDeleted attribute
- change the DN based on lastKnownParent and msDS-LastKnownRDN
- all non-linked attributes are restored
- all linked attributes, even cross-domain links, are restored
- tools: ldp.exe, Active Directory PowerShell

How an Object is Deleted

In WS08:
- the object is first locally deleted
  - non-linked attributes that are not preserved are cleared (in the data table)
  - all linked attributes are removed (from the link table)
- the object deletion is replicated
  - isDeleted=TRUE is the replicated event
  - the same operations as above are repeated on each notified DC
  - cross-domain DCs are notified as follows: the Infrastructure Master checks a Global Catalog server for referenced objects with a mangled DN (indicating object deletion); if found, it creates an InfrastructureUpdate object to trigger the deletions on the various DCs

In WS08 R2:
- the object is first locally deleted
  - all non-linked attributes are preserved (in the data table)
  - all linked attributes (in the link table) are marked as deactivated
- the object deletion is replicated
  - isDeleted=TRUE is the replicated event
  - the same operations as above are repeated on each notified DC
  - cross-domain DCs are notified as follows: every DC checks a Global Catalog server for referenced objects with a mangled DN (indicating object deletion); if found, it deletes the object locally

AD LDS has Recycle Bin too!

- ensure all instances in the configuration set are running Windows Server 2008 R2
- use LDIFDE to extend the schema with MS-ADAM-Upgrade-2.LDF, shipped in-box

Restoring Object(s) - AD PowerShell

# Restore a single object
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

# Restore a tree: the parent OU first, then its children, one level at a time
Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=Finance_Department)" -IncludeDeletedObjects | Restore-ADObject
Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Finance_Department,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject
Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Admins,OU=Finance_Department,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject
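The per-level commands above work for a two-level OU, but a real subtree has to be walked parent-first to any depth, and a child's lastKnownParent may hold either the parent's original DN or the parent's mangled "\0ADEL:" DN depending on how the delete unfolded. The following is an added example written for this page (not the deck's or Microsoft's code) that covers both the "recovering objects" rules and the tree-restore commands: it loads every restorable object once, rebuilds the hierarchy from lastKnownParent and msDS-LastKnownRDN, and calls Restore-ADObject top-down with an explicit -TargetPath. It assumes the RSAT ActiveDirectory module, rights to restore, and uses Finance_Department and dc01.contoso.com as placeholders.

```powershell
# Added example (not part of the original deck): top-down restore of a deleted subtree.
Import-Module ActiveDirectory

function ConvertTo-EscapedRdnValue {
    param([string]$Value)
    # RFC 4514 escaping for a value being put back into a DN (the restored RDN is built from msDS-LastKnownRDN).
    $v = $Value -replace '([\\,+"<>;])', '\$1'
    if ($v -match '^[ #]') { $v = '\' + $v }
    if ($v -match ' $')    { $v = $v.Substring(0, $v.Length - 1) + '\ ' }
    return $v
}

function Restore-ADDeletedSubtree {
    [CmdletBinding()]
    param(
        # Deleted root object(s), e.g. (Get-ADObject -LDAPFilter '(msDS-LastKnownRDN=Finance_Department)' -IncludeDeletedObjects)
        [Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject[]]$Root,
        [string]$Server
    )
    $srv = @{}; if ($Server) { $srv['Server'] = $Server }
    $domainDN = (Get-ADRootDSE @srv).defaultNamingContext

    # One query for every deleted-but-not-recycled object. Recycled objects cannot be restored at all (see "Resulting behavioral changes").
    $deleted = Get-ADObject -SearchBase "CN=Deleted Objects,$domainDN" -SearchScope OneLevel `
        -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' -IncludeDeletedObjects @srv `
        -Properties lastKnownParent, 'msDS-LastKnownRDN'

    $byGuid = @{}; $byMangledDN = @{}; $childrenOf = @{}   # hashtable string keys compare case-insensitively
    foreach ($o in $deleted) {
        $byGuid[$o.ObjectGUID.ToString()] = $o
        $byMangledDN[$o.DistinguishedName] = $o
        if ($o.lastKnownParent) {
            if (-not $childrenOf.ContainsKey($o.lastKnownParent)) { $childrenOf[$o.lastKnownParent] = @() }
            $childrenOf[$o.lastKnownParent] += $o
        }
    }

    $stack = New-Object System.Collections.Stack
    foreach ($r in $Root) {
        $node = $byGuid[$r.ObjectGUID.ToString()]
        if (-not $node) { throw "$($r.DistinguishedName) is not a restorable (deleted, non-recycled) object" }
        if (-not $node.lastKnownParent) { throw "$($node.DistinguishedName) has no lastKnownParent; restore it by hand with Restore-ADObject -TargetPath" }
        # Deck rule: the target parent must be live. If the root's parent is itself in Deleted Objects, that parent goes first.
        if ($byMangledDN.ContainsKey($node.lastKnownParent)) { throw "Parent of $($node.DistinguishedName) is also deleted; pass the parent as -Root instead" }
        $stack.Push(@{ Node = $node; Target = $node.lastKnownParent })
    }

    $restored = @()
    while ($stack.Count -gt 0) {
        $item = $stack.Pop(); $node = $item.Node
        # Rebuild the original RDN: naming attribute from the mangled DN ("OU=Finance\0ADEL:<guid>,..."), value from msDS-LastKnownRDN.
        $namingAttr = $node.DistinguishedName.Substring(0, $node.DistinguishedName.IndexOf('='))
        $liveDN = "$namingAttr=$(ConvertTo-EscapedRdnValue $node.'msDS-LastKnownRDN'),$($item.Target)"
        Restore-ADObject -Identity $node.ObjectGUID -TargetPath $item.Target @srv   # parent is live by construction
        $restored += $liveDN
        # Children may have recorded the parent under its old live DN or under its mangled deleted DN; check both.
        foreach ($key in @($liveDN, $node.DistinguishedName)) {
            if ($childrenOf.ContainsKey($key)) {
                foreach ($c in $childrenOf[$key]) { $stack.Push(@{ Node = $c; Target = $liveDN }) }
            }
        }
    }
    return $restored   # live DNs, in the order they came back
}

# Usage (placeholder names): restore OU=Finance_Department and everything beneath it, parents before children.
# Restore-ADDeletedSubtree -Server dc01.contoso.com -Root (Get-ADObject -LDAPFilter '(msDS-LastKnownRDN=Finance_Department)' -IncludeDeletedObjects)
```

Run it with -WhatIf first: Restore-ADObject honours the preference, so the function prints the planned restores in order without touching the directory. Note that the naming attribute is taken from the mangled DN rather than hard-coded, so users (CN=), groups (CN=) and OUs (OU=) inside the same subtree all come back with the right RDN.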

Setting object lifetimes - AD PowerShell

# Change msDS-DeletedObjectLifetime (an attribute name containing a hyphen must be quoted as a hashtable key)
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com" -Partition "CN=Configuration,DC=mydomain,DC=com" -Replace @{'msDS-DeletedObjectLifetime' = 60}

# Change tombstoneLifetime
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com" -Partition "CN=Configuration,DC=mydomain,DC=com" -Replace @{tombstoneLifetime = 365}
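Before changing either value it is worth reading back what the forest actually uses, because the "Deleted Object Lifetime" and "Recycle Bin details" slides describe two fallbacks (a null DOL means TSL, and a missing tombstoneLifetime attribute means AD's built-in 60 days rather than 180) and a backup rule (valid for the lesser of DOL and TSL). The following is an added example written for this page, not code from the deck or from Microsoft; it assumes the RSAT ActiveDirectory module and uses dc01.contoso.com as a placeholder.

```powershell
# Added example (not part of the original deck): effective lifetimes and the backup window they imply.
Import-Module ActiveDirectory

function Get-ADObjectLifetimes {
    [CmdletBinding()]
    param([string]$Server)   # placeholder: 'dc01.contoso.com'; omit to use the default DC
    $srv = @{}; if ($Server) { $srv['Server'] = $Server }
    $configNC = (Get-ADRootDSE @srv).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Partition $configNC -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime' @srv

    $tsl = $ds.tombstoneLifetime
    if ($null -eq $tsl) { $tsl = 60 }     # attribute absent (forest created before Windows Server 2003 SP1): AD uses 60 days, not 180
    $dol = $ds.'msDS-DeletedObjectLifetime'
    if ($null -eq $dol) { $dol = $tsl }   # DOL null: a deleted object stays restorable for tombstoneLifetime (the slide's fallback)

    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' @srv
    $enabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0

    # Without Recycle Bin there are only tombstones, so the backup window is simply TSL.
    $backupDays = if ($enabled) { [Math]::Min($dol, $tsl) } else { $tsl }

    [pscustomobject]@{
        RecycleBinEnabled          = $enabled
        DeletedObjectLifetimeDays  = $dol          # restorable window (meaningful only when enabled)
        RecycledObjectLifetimeDays = $tsl          # time spent as a recycled object before garbage collection
        TombstoneLifetimeDays      = $tsl
        BackupUsefulDays           = $backupDays   # lesser of DOL and TSL, per the "backups" slide
    }
}

function Test-ADBackupUsable {
    # Is a system-state backup taken on $BackupTaken still usable for an authoritative restore?
    [CmdletBinding()]
    param([Parameter(Mandatory)][datetime]$BackupTaken, [string]$Server)
    $lt  = Get-ADObjectLifetimes -Server $Server
    $age = ((Get-Date) - $BackupTaken).TotalDays
    [pscustomobject]@{
        AgeDays   = [Math]::Round($age, 1)
        LimitDays = $lt.BackupUsefulDays
        Usable    = $age -lt $lt.BackupUsefulDays
    }
}

# Usage (placeholder names):
# Get-ADObjectLifetimes -Server dc01.contoso.com
# Test-ADBackupUsable -BackupTaken (Get-Date).AddDays(-75) -Server dc01.contoso.com
```

The 60-day fallback is the detail most often missed: a forest whose tombstoneLifetime attribute was never populated does not get the 180-day default the slide quotes, and shortening DOL below an unpopulated TSL buys nothing for the backup window.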

Offline Domain Join (ODJ)

What does it do?
- allows a client to fully achieve a domain-joined state without ever having communicated with a domain controller

What do you need to know?
- machines are domain-joined on initial boot, without requiring network connectivity
- reduces the reboots and time needed to deploy OS images

How do you prep for it?
- NO forest or domain functional level requirement
- NO Windows Server 2008 R2 DCs required
- the joining machine must, however, be a Windows 7 client or a Windows Server 2008 R2 member

ODJ: try it yourself

1. Get a new Windows 7 client or Windows Server 2008 R2 machine
2. Gracefully shut down the new machine
3. Gain writeable access to the new machine's physical or virtual disk
4. On a second domain-joined machine, using domain-join-capable credentials, run:
   djoin /provision /domain <target domain> /machine <new machine name> /savefile <filename>
   djoin /requestODJ /loadfile <filename> /windowspath <path to the new machine's %windir%>
5. Reboot the new machine; it is now in a fully domain-joined state
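At the "1000 servers every 30 minutes" scale the deck has in mind, step 4 is scripted, and the file djoin writes is the part to be careful with: the provisioning blob carries the new machine account's password, so it should be ACL'd to the provisioning account and deleted as soon as it has been applied. The following is an added example written for this page, not code from the deck or from Microsoft; it wraps the same djoin.exe switches shown above, and contoso.com, the OU, the machine names, C:\odj and E:\Windows are placeholders.

```powershell
# Added example (not part of the original deck): scripted ODJ provisioning with the blob treated as a credential.

function New-ODJProvisioningFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,                                               # placeholder: 'contoso.com'
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$MachineName, # NetBIOS-legal computer name
        [Parameter(Mandatory)][string]$OutDir,                                               # placeholder: 'C:\odj'
        [string]$MachineOU,   # optional; without it djoin creates the account in the default Computers container
        [string]$DCName       # optional; target a specific DC for the account creation
    )
    $file = Join-Path $OutDir "$MachineName.odj"
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $MachineName, '/savefile', $file)
    if ($MachineOU) { $djoinArgs += '/machineou', $MachineOU }
    if ($DCName)    { $djoinArgs += '/dcname', $DCName }
    $out = & djoin.exe @djoinArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed for $MachineName (exit $LASTEXITCODE): $out" }

    # The blob contains the machine account password: drop inherited ACEs, leave only the provisioning account.
    $acl = Get-Acl -Path $file
    $acl.SetAccessRuleProtection($true, $false)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $file -AclObject $acl
    return $file
}

function Invoke-ODJOnOfflineImage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProvisioningFile,
        [Parameter(Mandatory)][string]$WindowsPath   # %windir% of the offline disk, e.g. 'E:\Windows' after mounting the VHD
    )
    $out = & djoin.exe /requestODJ /loadfile $ProvisioningFile /windowspath $WindowsPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit $LASTEXITCODE): $out" }
    # Single use: the secret now lives inside the image, so the file has no further purpose on this host.
    Remove-Item -Path $ProvisioningFile -Force
}

# Usage (placeholder names): provision a batch, then apply one file to a mounted image; the image joins on first boot.
# 1..50 | ForEach-Object { New-ODJProvisioningFile -Domain contoso.com -MachineName ('WEB{0:D3}' -f $_) -OutDir C:\odj -MachineOU 'OU=Web,DC=contoso,DC=com' }
# Invoke-ODJOnOfflineImage -ProvisioningFile C:\odj\WEB001.odj -WindowsPath E:\Windows
```

If a separate deployment service applies the blobs, grant that service account on the file instead of the interactive user; the point is that nothing on the box reads the blob except the account that needs to, and that it is gone after the join data has been written into the image.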

ODJ specifics on the blob

Offline Join: Developer Support

NET_API_STATUS NetProvisionComputerAccount(
    __in      LPCWSTR lpDomain,
    __in      LPCWSTR lpMachineName,
    __in_opt  LPCWSTR lpMachineAccountOU,
    __in_opt  LPCWSTR lpDcName,
    __in      DWORD   dwOptions,
    __out_opt PBYTE   *pProvisionBinData,
    __out_opt DWORD   *pdwProvisionBinDataSize,
    __out_opt LPWSTR  *pProvisionTextData
);

NET_API_STATUS NetRequestOfflineDomainJoin(
    __in BYTE    *pProvisionBinData,
    __in DWORD   cbProvisionBinDataSize,
    __in DWORD   dwOptions,
    __in LPCWSTR lpWindowsPath
);

Offline Join: The Possibilities

Rapid deployments in next-gen datacenters
- goal: deploy 1000 new servers every 30 minutes

Integration into service offerings
- would you consider including it in your IT services offering?
- web-based interface workflow for create, download, apply, join

Your thoughts?

Active Directory Technologies

- AD Domain Services (AD DS)
- AD Rights Management Services (AD RMS)
- AD Lightweight Directory Services (AD LDS)
- AD Certificate Services (AD CS)
- AD Federation Services (AD FS)

Resources

Active Directory Recycle Bin Step-By-Step:
http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx

Offline Domain Join Step-By-Step:
http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx

Active Directory technologies:
http://www.microsoft.com/windowsserver2008/en/us/active-directory.aspx

Thank You!
